CompTIA CySA+ (CS0-003) — Question 334

Several users received a phishing email containing a malicious file that bypassed the organization’s email security tool. Based on the SIEM logs, users did not open the file within the environment. In which of the following phases of the MITRE ATT&CK framework was the attack stopped?

Answer options

Correct answer: B

Explanation

The attack was stopped at the Execution phase: the users did not interact with the malicious file, so the malware was never executed. Of the other phases, Initial Access is the stage where the threat entered the environment, while Lateral Movement and Discovery pertain to actions taken after execution.